Privacy-friendly QR codes for identity

Retour à la liste des conférenciers et sessions
Écoutez la diffusion
Presenting personal information in the form of a QR code has become a daily reality for many during the Covid pandemic: in Quebec, people showed their immunization information using the government-issued VaxiCode, a SMART Health Card (SHC) credential that follows a medical standard adopted in Canada and in many other countries. The paradigm of presenting information about oneself can easily be generalized beyond this health scenario. In this presentation, I’ll first give an overview of the SHC framework, focusing on its security features and describing its deployment in Canada. I’ll then present a generic framework to issue QR codes that can encode attributes of any type. I’ll introduce a strong privacy feature allowing users to only disclose a subset of the encoded attributes, addressing one of the main privacy critiques of SHCs. Finally, I’ll give a demonstration and describe the open-source specification and reference implementation for this generic framework.

Outline of the presentation:

  • SMART Health Card (SHC)
  • Overview of the SHC framework, and of its overseeing organization VCI
  • Security analysis of SHC, including: key management, cryptographic signatures, revocation of issuers and SHCs, and trust establishment (trusted issuer directory and auditing)
  • Claims QR
  • Presentation of the Claim QR framework for generic attributes
  • Hash-based mechanism for selective disclosure of attributes
  • Overview of the open-source specification and reference implementation
  • Demo (issuance and validation of generic attributes)
  • Q&A

Christian Paquin ,

I’m cryptography and security engineer at Microsoft Research where I aim to bring new research innovations closer to reality. My work focuses lately on privacy-preserving identity, post-quantum cryptography, and content origin and authentication (especially surrounding the work of the C2PA in which I’m a member of the technical working group). Prior to joining Microsoft I was a crypto developer at Zero Knowledge Systems developing a TOR-precursor mixnet and the Chief Security Engineer at Credentica.